Computer System Security

By
Dr. Shruti Bharadwaj
 Unit 1

❑ Introduction
❑ What is Security? What I have to learn?
❑ Sample Attacks
❑ Marketplace for Vulnerabilities
❑ Error 404 Hacking digital India part I chase
 ---Continue

❑Hijacking & Defense

❖ Control Hijacking
❖ More on Control Hijacking
o Buffer-Overflow
o Integer Overflow
o Format String Vulnerability
❑Defense Against Control Hijacking
❖ Plate-form Defense
❖ Run-time Defense
❑Advanced Control Hijacking Attacks
 Introduction

❖ Computer security basically is the protection of computer

systems and information from harm, theft, and unauthorized
use. It is the process of preventing and detecting
unauthorized use of your computer system.
❖ Often people confuse computer security with other related
terms like information security and cyber Security. One way
to ascertain the similarities and differences among these
terms is by asking what is being secured.
 Introduction

❖ Information security is securing information from

unauthorized access, modification & deletion .
❖ Computer Security means securing a standalone machine by
keeping it updated and patched .
❖ Cyber Security is defined as protecting computer systems,
which communicate over the computer networks.
 --Continue
❖ It's important to understand the distinction between
these words, though there isn't necessarily a clear
consensus on the meanings and the degree to
which they overlap or are interchangeable.
❖ Computer security basically is the protection of
computer systems and information from harm, theft,
and unauthorized use.
 --Continue
❖ It is the process of preventing and detecting
unauthorized use of your computer system.
❖ Often people confuse computer security with other
related terms like information security and cyber
security.
❖ One way to ascertain the similarities and differences
among these terms is by asking what is being
secured.
 Why is Security Hard?

❖Information management systems are a complex, "target-

rich" environment comprising: hardware, software,
storage media, peripheral devices, data, people. Principle
of Easiest Penetration: an intruder will use any available
means to subvert the security of a system.
 Why is Security Hard?

❖In security, not only do you have to find "bugs" that

make the system behave differently than expected, you
have to identify any features of the system that are
susceptible to misuse and abuse, even if your programs
behave exactly as you expect them to.
❖The hardest thing about security is convincing yourself
that you've thought of all possible attack scenarios, before
the attacker thinks of them.
The components of a computer system that needs
to be protected are:
❖Hardware, the physical part of the computer, like the
system memory and disk drive.

❖Firmware, permanent software that is etched into a

hardware device's nonvolatile memory and is mostly
invisible to the user.

❖Software, the programming that offers services, like

operating system, word processor, internet browser to the
user
 CIA Tried –Security Goals

Computer security is mainly concerned with three

main areas:-
➢Confidentiality is protecting information from being
modified by unauthorized parties.

➢ Integrity is protecting information from being modified

by unauthorized parties.

➢ Availability is ensuring that information is available

only to the intended audience.
 ----Continue
❑In simple language, computer security is making sure
information and computer components are usable but still
protected from people or software that shouldn't access it
or modify it.
❑Three Security Goals Are Confidentiality, Integrity, and
Availability.
All information security measures try to address at least
one of three goals:
• Protect the confidentiality of data
• Preserve the integrity of data
• Promote the availability of data for authorized use
 Computer Security Threats

❑ Computer security threats are possible dangers that can

prevent your computer from functioning normally.

❑ Nowadays, cyber threats are constantly increasing as

the world is digitizing. The most harmful types of
computer security threats can be described next.
 Viruses

❑ A computer virus is a malicious program that is uploaded

to a user's computer without their knowledge.

❑ It replicates and infects files and programs on the user's

computer.

❑ The ultimate goal of the virus is to ensure that the victim's

computer can never function properly or even at all.
 Computer Worm

A computer worm is a software program that can copy itself

from one computer to another without human interaction.
The potential risk is that it takes up space on your
computer's hard drive, as the worm can replicate in a larger
volume and at a greater speed.
 Phishing
❑ Posing as a trustworthy person or business, phishers
attempt to steal sensitive financial or personal
information through fraudulent emails or instant
messages.

❑ Unfortunately, phishing is very easy to do. You are

fooled into believing that this is a legitimate mail
and can enter your personal information.
 Botnet

❑ A botnet is a group of computers connected to the

Internet that have been attacked by a hacker using a
computer virus.

❑ An individual computer is called a "zombie

computer". This threat results in the victim's
computer being used by the bot for malicious
activities and for larger scale attacks such as DDoS
 Trojan Virus(Trojan Horse)
❑Trojan horse or Trojan is a type of malware that is often
disguised as legitimate software.

❑Trojans can be employed by cyber-thieves and hackers

trying to gain access to users' systems.

❑Users are typically tricked by some form of social

engineering into loading and executing Trojans on their
systems.

❑Once activated, Trojans can enable cyber-criminals to spy

on you, steal your sensitive data, and gain backdoor access
to your system.
 Keylogger

Also known as a keystroke logger, keyloggers can track the

real-time activity of a user on his computer. It keeps a record
of all the keystrokes made by user keyboard. Keylogger is also
a very powerful threat to steal people's login credential such as
username and password.
 Spyware

Spyware is one of the most common threats to internet users.

Once installed, it monitors internet activity, tracks login
credentials and spies on sensitive information.
The primary goal of spyware is usually to obtain credit card
numbers, banking information and passwords.
 Ransomware

Ransomware is a type of malware that is designed to block

user access from own system until a ransom fee is paid to
ransomware creator.
Ransomware is a lot dangerous than a regular malware and
spread through phishing emails having infected attachments.
Ransomware has emerged over the last few years and can
attack individuals or organizations.
 Malware

Malware is an umbrella term that is used to describe all

types of malicious software.
Malware can be used by attackers to perform variety of
malicious actions like spying on the target using spyware,
destroying data and resources, causing error in the system
and slow down the performance.
Virus, Trojan horses, worms and spyware are the various
types of malware along with a few others.
 DoS
❑ Denial-of-service attack is a security event that occurs when an attacker prevents
legitimate users from accessing specific computer systems, devices, services or
other IT resources.
❑ Denial-of-service (DoS) attacks typically flood servers, systems or networks with
traffic in order to overwhelm the victim's resources and make it difficult or
impossible for legitimate users to access them.
❑ While an attack that crashes a server can often be dealt with successfully by simply
rebooting the system, flooding attacks can be more difficult to recover
❑ It can be done by transmitting a large number of packets to a vulnerable network
service from different Internet Protocol (IP) addresses in order to overwhelm the
service and make it unavailable to legitimate users.
 Marketplace for Vulnerabilities

Vulnerability is a cyber-security term that refers to a flaw in a system that can leave
it open to attack. Vulnerable consumers fail to understand their preferences and/or
lack the knowledge, skills, or freedom to act on them. The aim is to significantly
replace trial and error with a robust understanding of markets, markets habitually
governed by social virtues.

In marketplace, money can be earned by selling the vulnerabilities. In this regard we

have white hat hackers and black hat hackers.
 --Continue

Types of attacks in network security

There are two main types of network attacks:

Passive: this is when sensitive information is screened and monitored,
potentially compromising the security of enterprises and their customers.
Active: this is when information is altered by a hacker or destroyed entirely.

Mobile Security Attacks:

Mobile Security as a concept deals with the protection of our mobile devices
from possible attacks by other mobile devices, or the wireless environment that
the device is connected to.
 --Continue
Phishing (pronounced: fishing) is an attack that attempts to steal your money, or your
identity, by getting you to reveal personal information -- such as credit card numbers, bank
information, or passwords -- on websites that pretend to be legitimate.
Social engineering :is the term used for a broad range of malicious activities accomplished
through human interactions. It uses psychological manipulation to trick users into making
security mistakes or giving away sensitive information. Social engineering attacks happen in
one or more steps.
A man in the middle (MITM) attack is a general term for when a perpetrator positions
himself in a conversation between a user and an application—either to eavesdrop or to
impersonate one of the parties, making it appear as if a normal exchange of information is
underway.
The goal of an attack is to steal personal information, such as login credentials, account
details and credit card numbers. Targets are typically the users of financial applications,
SaaS businesses, e-commerce sites and other websites where logging in is required.
 Control hijacking
1. Hijacking is a type of network security attack in which the attacker takes control of a
communication .
2. In hijacking ( also known as a man in the middle attack ) , the perpetrator takes control
of an established connection while it is in progress .
3. The attacker intercepts messages in a public key exchange and then retransmits them ,
substituting their own public key for the requested one , so that the two original parties
still appear to be communicating with each other directly .
4. The attacker uses a program that appears to be the server to the client and appears to be
the client to the server.
5. This attack may be used simply to gain access to the messages , or to enable the attacker
to modify them before retransmitting them .
6. Attacker's goal in control hijacking : takeover target machine ( for example web server
) by Execute arbitrary code on target by hijacking application control flow.
Attacker Needs to Perform Control Hijacking

❑ To understand C functions , stack, the heap.

❑ How to made system call.
❑ The exec() System call.
❑ CPU and OS running on target machine.
There are three types of control hijacking in computer security :

Types of Control Hijacking Attack

1. Buffer overflow attacks

2. Integer overflow attacks

3. Format string vulnerabilities

 Buffer Overflow Attack

❑A buffer is a temporary area for data storage. When

more data (than was originally allocated to be stored)
gets placed by a program or system process, the extra
data overflows.
❑It causes some of that data to leak out into other
buffers, which can corrupt or overwrite whatever data
they were holding.
❑In a buffer-overflow attack, the extra data sometimes
holds specific instructions for actions intended by a
hacker or malicious user; for example, the data could
trigger a response that damages files, changes data or
unveils private information.
 --Continue

❑ A buffer overflow attack typically involves violating programming languages and

overwriting the bounds of the buffers they exist on. Most buffer overflows are
caused by the combination of manipulating memory and mistaken assumptions
around the composition or size of data.

❑ A buffer overflow vulnerability will typically occur when code:

▪ Is reliant on external data to control its behavior

▪ Is dependent on data properties that are enforced beyond its immediate scope

▪ Is so complex that programmers are not able to predict its behavior

accurately
 Buffer Overflow Exploits

❑ The buffer overflow exploit techniques a hacker uses depends on the architecture and
operating system being used by their target.
❑ However, the extra data they issue to a program will likely contain malicious code that
enables the attacker to trigger additional actions and send new instructions to the
application.
❑ For example, introducing additional code into a program could send it new instructions
that give the attacker access to the organization’s IT systems.
❑ In the event that an attacker knows a program’s memory layout, they may be able to
intentionally input data that cannot be stored by the buffer.
❑ This will enable them to overwrite memory locations that store executable code and
replace it with malicious code that allows them to take control of the program.
 Buffer Overflow Consequences

Common consequences of a buffer overflow attack include the following:

❑System crashes: A buffer overflow attack will typically lead to the system
crashing. It may also result in a lack of availability and programs being put
into an infinite loop.
❑Access control loss: A buffer overflow attack will often involve the use of
arbitrary code, which is often outside the scope of programs’ security
policies.
❑Further security issues: When a buffer overflow attack results in arbitrary
code execution, the attacker may use it to exploit other vulnerabilities and
subvert other security services.
 Types of Buffer Overflow Attacks

There are several types of buffer overflow attacks that attackers use to exploit
organizations’ systems. The most common are:
❑ Stack-based buffer overflows: This is the most common form of buffer overflow
attack. The stack-based approach occurs when an attacker sends data containing
malicious code to an application, which stores the data in a stack buffer. This
overwrites the data on the stack, including its return pointer, which hands control of
transfers to the attacker.
❑ Heap-based buffer overflows: A heap-based attack is more difficult to carry out than
the stack-based approach. It involves the attack flooding a program’s memory space
beyond the memory it uses for current runtime operations.
 How to Prevent Buffer Overflows

❑Application developers can prevent buffer overflows by building security

measures into their development code, using programming languages that
include built-in protection, and regularly testing code to detect and fix errors.
❑One of the most common methods for preventing buffer overflows is
avoiding standard library functions that have not been bounds-checked,
which includes gets, scanf, and strcpy.
❑Another common method is to prevent buffer overruns by using bounds-
checking that is enforced at runtime. This automatically checks that the data
written to a buffer is within the appropriate boundaries.
 ----Continue

❑ Modern operating systems now deploy runtime protection

that enables additional security against buffer overflows.
❑ This includes common protection like:
Address space layout randomization (ASLR): Buffer overflow
attacks typically need to know where executable code is
located. ASLR moves at random around locations of data
regions to randomize address spaces, which makes overflow
attacks almost impossible.
 ---Continue
❑Data execution prevention: This method prevents an attack from being
able to run code in non-executable regions by flagging areas of memory as
executable or non-executable.

❑Structured exception handling overwrite protection (SEHOP): Attackers

may look to overwrite the structured exception handling (SEH), which is a
built-in system that manages hardware and software exceptions. They do
this through a stack-based overflow attack to overwrite the exception
registration record, which is stored on the program’s stack. SEHOP
prevents attackers’ malicious code from being able to attack the SEH and
use its overwrite exploitation technique.

❑Implementing security measures around development code and operating

systems is not enough to protect organizations’ systems. When a buffer
overflow vulnerability is discovered, it is crucial to quickly patch the
software and ensure it is made available to all users.
 Integer Overflow Attack

Integer Overflow also known as wraparound, occurs when an arithmetic

operation outputs a numeric value that falls outside allocated memory space
or overflows the range of the given value of the integer. Mostly in all
programming languages, integers values are allocated limited bits of storage.

For example, we have a 16-bit integer value which may store an unsigned
integer ranging from 0 to 65535, or signed integer ranging from -32768 to
32767. So, during an arithmetic operation, if the results require more than the
allocated space (like 65535+1), the compiler may: completely ignore the error
caused, or abort the program.
 Format String Vulnerability
❑ A format string vulnerability is a bug where user input is passed as the format argument
to printf, scanf, or another function in that family.
❑ The format argument has many different specifies which could allow an attacker to leak data if
they control the format argument to printf. Since printf and similar are variadic functions, they
will continue popping data off of the stack according to the format.
❑ For example, if we can make the format argument "%x.%x.%x.%x", printf will pop off four
stack values and print them in hexadecimal, potentially leaking sensitive information.
❑ printf can also index to an arbitrary "argument" with the following syntax: "%n$x" (where n is
the decimal index of the argument you want).
❑ While these bugs are powerful, they're very rare nowadays, as all modern compilers warn
when printf is called with a non-constant string.
 -----Continue (Example)

#include <stdio.h>
#include <unistd.h>
int main()
{ int secret_num = 0x8badf00d;
char name[64] = {0}; read(0, name, 64);
printf("Hello ");
printf(name);
printf("! You'll never get my secret!\n");
return 0; }
Due to how GCC decided to lay out the stack, secret_num is actually at a lower address on the stack than name, so we only have to go to the 7th "argument" in printf to leak the secret:

$ ./fmt_string %7$llx
Hello 8badf00d3ea43eef
! You'll never get my secret!